Stop users from adding or changing rights on shared or home folders

Posted on 2005-04-06
Last Modified: 2013-12-04
We have a Windows Server 2003 two-node cluster that we're using for home folders and regular shared folders for our users.  I come from a Novell background, so, am used to stopping users from being able to change rights to their home or shared folders, yet still do anything they want IN their folders, and, I need to be able to do the same using NTFS permissions.

I also need to run Disk Quotas, to limit each user to a certain amount of file storage.  These two wants seem mutually exclusive.

I understand to stop users from changing file permissions, I just need to remove the Atomic Right Change Permissions, but, I also understand that if a user Owns a file or folder, then they can do anything they want to the permissions of that file or folder, and, unless they own their files, Disk Quotas has nothing to count.

What's the answer?

Question by:wbradley
    LVL 12

    Accepted Solution

    Why do you want to prevent the users from changing NTFS permissions?  If the purpose is to prevent them from leaving their home directories open to others, why not just restrict the share permissions and leave them with full control of the files and folders?  

    You should be able to take away ownership or full control of the *share* from the users without affecting their control or ownership over the folders.   Even if other users have permissions on the folders, they won't be able to get to them if they have no permissions on the share.
    LVL 38

    Expert Comment

    by:Rich Rumble
    You can do this easily. Cacls or Xcacls can do these in a script (Microsoft KB 825751).
    Deny them "C" and "D" and they cannot change or take ownership (Microsoft KB 320046).
    With any program or technique you're not very familiar with, take caution and TEST TEST TEST before making this a live change or rolling this out. Be sure to back up all data beforehand as a precaution.
    Here is a good summary also to help you

    Another good utility is: setacl

    Author Comment

    Carlo, our Home Folders and Shared Folders are set up so that each are accessible via a single share (two different shares for each type of folder) above the level of the actual folder itself, with Everyone getting Full Rights, and only the user or group having rights on the folder itself, so, if they have ownership, they can allow anyone to get in, or worse, remove critical groups like System or Administrators.  Since these folders are all on a cluster, I didn't want to use individual shares for EACH folder.  Thanks.

    Rich, I CAN change rights on the folders any way I want, but, if I want to use Disk Quotas, the user has to have ownership, and, once they have ownership, then, no matter what restrictions they had, they can now do anything that they want.  Thanks.
    LVL 4

    Expert Comment

    wbradley, carlos is correct (if I understand him correctly).  The home share should be set to modify.  If you set it to full control, then the owner of a file or folder can change permissions regardless of how you set NTFS permissions.  By setting the share to modify, you can configure the NTFS permissions the way you want, and they won't be able to change it (I'd recommend not giving them full control, just modify (NTFS)).  This doesn't break disk quotas unless they've taken away admin rights and you must seize ownership to fix the NTFS settings.  And it allows the users to do everything else they need to do.

    Now if you want to force the top level user directory permissions to be immutable (\\server\home\username), but let them change the lower level permissions (\\server\home\username\wildwest), I have no idea if that is possible.
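
    The interaction discussed in this thread (implicit owner rights, a Deny ACE, and the share permission acting as a cap), as an added example that is not part of any post above: a simplified Python model of the access decision, not Windows code. The access-mask values are the standard Windows constants; the account names, the sample DACL, and the function names are constructed for illustration, and the model assumes the pre-2008 behaviour in which an owner always holds READ_CONTROL and WRITE_DAC.

```python
# Simplified model: rights over SMB = share permission AND NTFS rights.
READ_CONTROL = 0x00020000   # read the security descriptor
WRITE_DAC    = 0x00040000   # "Change Permissions"
WRITE_OWNER  = 0x00080000   # "Take Ownership"
FULL_CONTROL = 0x001F01FF   # share "Full Control" / NTFS "Full Control"
CHANGE       = 0x001301BF   # share "Change" / NTFS "Modify"

def ntfs_granted(dacl, sids, owner):
    """Rights the folder's DACL gives a token (deny ACEs win over allow ACEs)."""
    allowed = denied = 0
    for ace_type, sid, mask in dacl:
        if sid in sids:
            if ace_type == "deny":
                denied |= mask
            else:
                allowed |= mask
    granted = allowed & ~denied
    if owner in sids:
        # Implicit owner rights: no ACE, not even a Deny, takes these away.
        granted |= READ_CONTROL | WRITE_DAC
    return granted

def effective(dacl, sids, owner, share_mask=None):
    """share_mask=None models a local (non-network) open, where no share applies."""
    rights = ntfs_granted(dacl, sids, owner)
    return rights if share_mask is None else rights & share_mask

def can_change_permissions(rights):
    return bool(rights & WRITE_DAC)

# Constructed sample: user "alice" owns her home folder (so quotas charge her),
# holds Modify, and has an explicit Deny on the two permission-changing rights.
HOME_DACL = [
    ("deny",  "alice",          WRITE_DAC | WRITE_OWNER),
    ("allow", "alice",          CHANGE),
    ("allow", "Administrators", FULL_CONTROL),
    ("allow", "SYSTEM",         FULL_CONTROL),
]
ALICE = {"alice", "Everyone"}

via_full_share   = effective(HOME_DACL, ALICE, "alice", FULL_CONTROL)
via_change_share = effective(HOME_DACL, ALICE, "alice", CHANGE)
local_logon      = effective(HOME_DACL, ALICE, "alice")
```

    The cap only applies to access that comes through the share; a user who can open the folder locally on the server is limited by NTFS alone.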
